<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>The identity provider | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'saml-guide-idp.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/saml-guide-idp.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/saml-guide-idp.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/saml-guide-idp.html" rel="nofollow" target="_blank">../en/saml-guide-idp.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="saml-guide.html">Configuring SAML single-sign-on on the Elastic Stack</a></span>
»
<span class="breadcrumb-node">The identity provider</span>
</div>
<div class="navheader">
<span class="prev">
<a href="saml-guide.html">« Configuring SAML single-sign-on on the Elastic Stack</a>
</span>
<span class="next">
<a href="saml-guide-authentication.html">Configure Elasticsearch for SAML authentication »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="saml-guide-idp"></a>The identity provider<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/saml-guide.asciidoc">edit</a>
</h2>
</div></div></div>
<p>The Elastic Stack supports the SAML 2.0 <em>Web Browser SSO</em> and the SAML
2.0 <em>Single Logout</em> profiles and can integrate with any Identity Provider (IdP)
that supports at least the SAML 2.0 <em>Web Browser SSO Profile</em>.
It has been tested with a number of popular IdP implementations.</p>
<p>This guide assumes that you have an existing IdP and wish to add Kibana as a
Service Provider.</p>
<p>The Elastic Stack uses a standard SAML <em>metadata</em> document, in XML format that
defines the capabilities and features of your IdP. You should be able to
download or generate such a document within your IdP administration interface.</p>
<p>Download the IdP metadata document and store it within the <code class="literal">config</code> directory on
each Elasticsearch node. For the purposes of this guide, we will assume that you are
storing it as <code class="literal">config/saml/idp-metadata.xml</code>.</p>
<p>The IdP will have been assigned an identifier (<em>EntityID</em> in SAML terminology)
which is most commonly expressed in <em>Uniform Resource Identifier</em> (URI) form.
Your admin interface may tell you what this is, or you might need to
read the metadata document to find it - look for the <code class="literal">entityID</code> attribute on the
<code class="literal">EntityDescriptor</code> element.</p>
<p>Most IdPs will provide an appropriate metadata file with all the features that
the Elastic Stack requires, and should only require the  configuration steps
described below. For completeness sake, the minimum requirements that the Elastic
Stack has for the IdP’s metadata are:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
An <code class="literal">&lt;EntityDescriptor&gt;</code> with an <code class="literal">entityID</code> that matches the Elasticsearch
<a class="xref" href="saml-guide-authentication.html#saml-create-realm" title="Create a SAML realm">configuration</a>
</li>
<li class="listitem">
An <code class="literal">&lt;IDPSSODescriptor&gt;</code> that supports the SAML 2.0 protocol
(<code class="literal">urn:oasis:names:tc:SAML:2.0:protocol</code>).
</li>
<li class="listitem">
At least one <code class="literal">&lt;KeyDescriptor&gt;</code> that is configured for <em>signing</em> (that is, it
has <code class="literal">use="signing"</code> or leaves the <code class="literal">use</code> unspecified)
</li>
<li class="listitem">
A <code class="literal">&lt;SingleSignOnService&gt;</code> with binding of HTTP-Redirect
(<code class="literal">urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</code>)
</li>
<li class="listitem">
If you wish to support <a class="xref" href="saml-guide-authentication.html#saml-logout" title="SAML logout">Single Logout</a>, a <code class="literal">&lt;SingleLogoutService&gt;</code>
with binding of HTTP-Redirect
(<code class="literal">urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</code>)
</li>
</ul>
</div>
<p>The Elastic Stack requires that all messages from the IdP are signed.
For authentication <code class="literal">&lt;Response&gt;</code> messages, the signature may be applied to either
the response itself, or to the individual assertions.
For <code class="literal">&lt;LogoutRequest&gt;</code> messages, the message itself must be signed, and the
signature should be provided as a URL parameter, as required by the HTTP-Redirect
binding.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="saml-guide.html">« Configuring SAML single-sign-on on the Elastic Stack</a>
</span>
<span class="next">
<a href="saml-guide-authentication.html">Configure Elasticsearch for SAML authentication »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>